Product Design Workflow
Pass
Audited by ClawScan on May 10, 2026.
Overview
No malicious behavior is evident, but the skill is designed to receive server credentials, upload public demos, report to a group, and potentially run on a daily schedule.
Install only if you intend to let the agent publish generated HTML demos to your server and report results to a group. Use a restricted server account, verify the upload path and group ID, and make any daily schedule explicit and easy to stop.
Findings (6)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent will have enough information to log in to the target server and write to the configured path.
The skill asks for SSH-style server credentials so it can upload generated demos.
- Server configuration: server-host, server-user, server-pass, server-path, preview-domain
Use a least-privilege server account restricted to the demo directory, avoid sharing an admin password, and rotate the password if it is exposed.
Incorrect arguments or generated files could publish the wrong content or write to the wrong server path.
The workflow runs a local upload script that mutates a remote server location.
Run `scripts/upload_demos.py` to upload to the server
Review generated demo files and upload parameters before running the upload step, and use a dedicated server-path for this workflow.
If scheduled, it may continue generating, uploading, and reporting content every day.
The skill is explicitly intended to run as a recurring daily workflow, although no hidden persistence mechanism is shown in the provided artifacts.
Complete end-to-end product design workflow (including daily scheduled task + reporting mechanism)
Set an explicit schedule, owner, stop condition, and approval policy for uploads and group reports.
Generated ideas, PRDs, demo URLs, or status updates could be sent to the wrong group if the ID is incorrect.
The workflow sends step-by-step reports to a user-specified group.
- Report group ID: target-group-id
Verify the group ID and avoid including sensitive internal information in reports unless the group membership is appropriate.
Published demos will rely on external CDN availability and may expose normal browser metadata to that third party.
Generated HTML templates depend on a third-party CDN resource.
<link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/font-awesome/6.4.0/css/all.min.css">
Mirror third-party assets locally or add integrity controls if the demos are used in a sensitive environment.
Public demos may include third-party branding or outbound links the user did not expect.
The shared footer inserted into generated pages contains a fixed external brand link.
<a href="https://www.dix-ai.com" target="_blank" rel="noopener noreferrer"
Review and customize the header/footer assets before publishing demos under your own domain.
